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Introduction 

The  concern  of  this  paper  is  a  set  of  potentially  faulty  processes  that  engage  in  a  distributed 
computation  to  agree  on  some  piece  of  information.  Each  process  enters  the  computation  with  an 
initial  value.  The  computation  returns  a  common  result  value  to  each  correct  process.  If  all  correct 
processes  begin  the  computation  with  identical  initial  values,  then  the  result  value  equals  the  initial 
value.  , 

The  computation  can  be  briefly  characterized  as  follows.  The  computation  is  fully  distributed 
and  symmetric.  It  includes  several  rounds  of  synchronous  message  exchange  over  a  completely 
connected,  totally  reliable  communications  network.  The  correct  processes  communicate  only 
through  messages.  The  communications  network  correctly  identifies  the  sender  of  each  message  to 
the  recipient  of  the  message.  Processes  are  assumed  to  have  no  signature  ability  (authentication). 
That  is,  there  is  no  immediate  way  of  detecting  whether  or  not  a  relayed  message  has  been  altered. 

A  process  fails  if  it  does  not  successfully  perform  the  actions  prescribed  by  the  agreement 
algorithm.  No  assumptions  are  made  restricting  the  messages  sent  by  faulty  processes.  One  can 
imagine  that  all  faulty  processes  act  maliciously,  in  collusion,  and  with  magical  knowledge  of  the  state 
of  the  distributed  system. 

A  computation  that  functions  as  described  above  solves  the  Byzantine  generals  problem 
without  authentication  [3].  (Authenticated  protocols  protect  relayed  messages  from  alteration.)  Let  P 
be  the  number  of  processes  that  engage  in  the  agreement  computation  and  let  T  be  an  upper  bound 
on  the  number  of  processes  that  may  fail  during  the  agreement  computation.  Byzantine  agreement 
without  authentication  requires  P>3T  [6],  and  cannot  be  achieved  in  fewer  than  T  + 1  rounds  [4]. 

A  less  general  formulation  of  the  problem  assumes  that  a  distinguished  process  transmits 
initial  values  to  the  other  processes.  This  paper  makes  no  assumption  about  the  source  of  the 


processes's  initial  values. 
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This  paper  describes  a  method  for  extending  a  binary  Byzantine  agreement  algorithm  to  reach 
agreement  on  values  from  an  arbitrary  domain  V.  Any  binary  algorithm  that  does  not  require  a 
distinguished  transmitter  process  may  be  used.  Two  rounds  are  prepended  to  the  binary  algorithm. 
In  the  first  round,  each  process  sends  every  other  process  its  initial  value.  In  the  second  round,  each 
process  broadcasts  a  single  bit  of  information  by  sending  or  not  sending  null  messages.  The  third  and 
subsequent  rounds  follow  the  chosen  binary  algorithm. 

Previous  algorithms  for  reaching  Byzantine  agreement  on  values  from  an  arbitrary  domain  V 
require  processes  to  send  messages  whose  length  depends  on  the  size  of  V  in  each  round  of  the 
computation.  Using  the  extension  described  in  this  paper,  messages  whose  length  depends  on  the 
size  of  V  are  sent  only  in  the  first  round.  Since  the  time  that  must  be  allotted  each  round  of  the 
computation  depends  in  part  on  the  length  of  messages  sent  in  the  round,  the  extension  enables 
significant  savings  when  the  domain  is  large. 

The  prepended  rounds  are  an  integral  part  of  the  extended  computation.  In  particular, 
agreement  can  be  guaranteed  only  if  no  more  than  T  processes  fail  during  the  computation,  including 
the  first  two  rounds,  where  P>3T.  (The  chosen  binary  algorithm  may  make  additional  assumptions.) 

The  body  of  this  paper  contains  three  sections:  a  description  of  the  extension,  a  proof  of  its 
correctness,  and  a  discussion  of  implementation  concerns  and  performance  characteristics. 

Description  of  the  Extension 

In  the  first  round,  each  process  sends  its  initial  value  to  every  other  process.  A  process  is  said 
to  be  perplexed  if,  in  the  first  round,  it  receives  at  least  as  many  as  (P  -  T)/2  initial  values  different 
from  its  own.  Processes  that  are  not  perplexed  are  said  to  be  content.  In  the  second  round,  each 
perplexed  process  sends  a  message  to  every  other  process.  The  semantics  of  this  message  is  just  "I 
am  perplexed". 


Each  process  maintains  three  local  variables:  two  arrays  indexed  by  process  number  and  a 
boolean.  These  variables  are  are  assigned  values  during  the  first  two  rounds.  For  process  j,  and  i*j, 


these  variables  are  defined  as  follows: 

v(j)  The  process's  initial  value. 

v(i)  The  initial  value  received  from  process  i. 

p(j)  A  boolean  that  is  set  true  if  and  only  if  process  j  is  perplexed,  that  is,  v(j)*v(i)  for  at 
least  as  many  as  (P  -  T)/2  distinct  values  of  i. 

p(i)  A  boolean  that  is  set  true  if  and  only  if  process  i  sent  a  message  claiming  it  is 
perplexed. 

alert  A  boolean  that  is  set  true  if  and  only  if  at  least  as  many  as  P  -  2T  elements  of  p  are  true. 

The  binary  computation  is  used  to  reach  agreement  on  alert.  If  the  binary  computation  agrees 
alert  =  true,  there  are  correct  processes  with  different  initial  values  from  V.  In  this  case,  all  correct 
processes  use  a  predefined  default  value  from  V  as  the. result  of  the  extended  computation.  If 
agreement  is  alert  =  false,  then  all  correct  content  processes  have  the  same  initial  value  from  V.  This 
value  is  the  result  of  the  extended  computation.  Perplexed  processes  deduce  this  result  by  using  the 
initial  value  that  is  common  to  a  majority  of  the  content  processes.  That  is,  each  perplexed  process 
tabulates  as  votes  the  values  v(j)  for  which  p(j)  is  false.  The  majority  vote  is  for  the  value  favored  by 
the  correct  content  processes. 

Proof  of  Correctness 

The  extended  computation  is  correct  if  (1)  all  correct  processes  obtain  the  same  result  value, 
and  (2)  the  result  value  equals  the  common  initial  value  whenever  all  correct  processes  begin  with  the 
same  initial  value. 

The  second  claim  is  easily  proved.  If  all  correct  processes  have  the  same  initial  value  from  the 
domain  V,  then  no  correct  process  is  perplexed  and  all  correct  processes  have  alert  =  false.  The 
binary  computation  agrees  alert  =  false  and  all  correct  processes,  which  are  content,  use  their  initial 
value  as  the  result. 

The  first  claim  has  two  cases:  the  binary  computation  agrees  alert  =  true  or  alert  =  false.  In  the 


former  case,  all  correct  processes  select  the  default  value  as  the  result  of  the  extended  computation. 
In  the  latter  case,  it  is  necessary  to  show  that  all  content  processes  have  the  same  initial  value  and 
that  this  value  is  deduced  by  all  the  perplexed  processes.  This  will  now  be  demonstrated. 

Any  subset  of  more  than  (P  +  T)/2  processes  contains  a  majority  of  the  correct  processes. 
From  this  basic  fact,  it  follows  that  each  content  process  has  the  same  initial  value  as  a  majority  of  the 
correct  processes.  (Observe  that  (P  +  T)/2  and  (P  -  T)/2  sum  to  P.)  Since  there  cannot  be  two 
distinct  majorities,  all  content  processes  have  the  same  initial  value. 

Since  the  result  of  the  binary  computation  is  alert  =  false,  there  are  at  least  T  + 1  correct 
content  processes,  for  otherwise  there  would  be  at  least  P-2T  correct  perplexed  processes  and  all 
correct  processes  would  be  alert  and  the  result  of  the  binary  computation  would  be  alert  =  true.  Each 
perplexed  process  has  p(j)  false  for  all  content  processes  and  possibly  for  some  incorrect  processes. 
Since  there  are  at  most  T  incorrect  processes,  the  content  processes  are  a  majority  of  those  for  which 
p(j)  is  false.  Taking  a  majority  vote  of  the  v(j)  for  which  p(j)  is  false  produces  the  value  shared  by  the 
content  processes. 

Implementation  and  Performance  Analysis 

Many  binary  algorithms  favor  one  of  the  two  values  in  the  binary  domain.  The  binary 
algorithms  (without  authentication)  described  in'  [1 ,2,3,5]  all  reach  agreement  for  the  favored  value 
whenever  more  than  T  correct  processes  begin  with  that  value.  (Assume  that  the  threshold  LOW 
equals  T+  1  in  [1,2,5].) 

In  the  extended  algorithm,  the  second  round  together  with  the  binary  computation  can  be 
interpreted  as  reaching  binary  agreement  on  which  processes  are  perplexed,  providing  agreement  is 
reached  for  perplexed  whenever  (P  -  T)/2  or  more  correct  processes  are  initially  perplexed.  If  the 
chosen  binary  algorithm  exhibits  the  bias  described  above,  the  second  round  of  the  extended 
algorithm  can  be  omitted.  (The  chosen  binary  algorithm  must  require  that  each  process  sends  all 
other  processes  initial  binary  values  so  that  the  values  in  the  array  p  can  be  set.) 


%  \j»  -*  -v  -V  , 


A  good  multivalued  Byzantine  agreement  algorithm  is  presented  in  [5].  Agreement  is  reached 
in  2T  +  4  rounds  and  requires  0(P3)  messages  each  comprising  O(log  P  log  |V|)  bits.  The  extension 
described  in  this  paper  using  the  algorithm  in  [5]  to  reach  binary  agreement  reaches  multivalued 
agreement  in  2T  +  5  rounds  (the  second  round  of  the  extension  is  not  needed)  and  requires  0(P  ) 
messages  having  0(log  P)  bits  and  0(P2)  messages  having  0(log  |V|)  bits.  The  latter  messages  are 
sent  only  in  the  first  round. 

The  above  analysis  shows  that  the  extension  of  the  binary  algorithm  in  [5]  yields  a  multivalued 
algorithm  that  is  cheaper  in  message  bits  than  the  multivalued  algorithm  described  in  [5].  The 
extension  enables  this  savings  because  only  in  the  first  round  does  it  send  messages  whose  length 
depends  on  the  size  of  the  value  domain.  The  actual  time  savings  possible  depends  on  a  variety  of 
factors,  including  the  cost  of  an  additional  communication  round  relative  to  the  cost  of  sending  large 
messages,  the  size  of  the  value  domain,  and  the  bandwidth  of  the  communications  network. 

Conclusion 

This  paper  shows  that  reaching  Byzantine  agreement  on  values  from  an  arbitrary  domain  is 
not  essentially  more  difficult  than  reaching  binary  Byzantine  agreement,  except  for  the  necessity  of 
initially  exchanging  and  comparing  values.  Using  the  technique  described  in  this  paper  to  extend  a 
good  binary  algorithm  yields  a  multivalued  algorithm  faster  than  those  previously  published  when 
agreement  must  be  reached  on  large  sets  of  data. 
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